US10924371B2 - Method for monitoring a first node in a communications network and monitoring system - Google Patents

Publication number
US10924371B2
Authority
US
United States
Prior art keywords
node
channel
time values
dual
safety
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US15/088,299
Other versions
US20160218946A1 (en
Inventor
Oliver Ellerbrock
Jens Sachs
Robert Zutz
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beckhoff Automation GmbH and Co KG
Original Assignee
Beckhoff Automation GmbH and Co KG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beckhoff Automation GmbH and Co KG
Assigned to Beckhoff Automation GmbH & Co. KG. Assignment of assignors' interest (see document for details). Assignors: Ellerbrock, Oliver; Zutz, Robert; Sachs, Jens
Publication of US20160218946A1
Assigned to Beckhoff Automation GmbH. Corrective assignment to correct the name of the assignee previously recorded on reel 038252, frame 108. Assignor(s) hereby confirms the assignment. Assignors: Ellerbrock, Oliver; Sachs, Jens; Zutz, Robert
Assigned to Beckhoff Automation GmbH. Change of assignee address. Assignors: Beckhoff Automation GmbH
Application granted
Publication of US10924371B2

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0823Errors, e.g. transmission errors
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/10Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L43/106Active monitoring, e.g. heartbeat, ping or trace-route using time related information in packets, e.g. by adding timestamps
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0706Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment
    • G06F11/0721Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment within a central processing unit [CPU]
    • G06F11/0724Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment within a central processing unit [CPU] in a multiprocessor or a multi-core unit
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0751Error or fault detection not based on redundancy
    • G06F11/0754Error or fault detection not based on redundancy by exceeding limits
    • G06F11/0757Error or fault detection not based on redundancy by exceeding limits by exceeding a time limit, i.e. time-out, e.g. watchdogs
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04JMULTIPLEX COMMUNICATION
    • H04J3/00Time-division multiplex systems
    • H04J3/02Details
    • H04J3/06Synchronising arrangements
    • H04J3/0635Clock or time synchronisation in a network
    • H04J3/0638Clock or time synchronisation among nodes; Internode synchronisation
    • H04J3/0658Clock or time synchronisation among packet nodes
    • H04J3/0661Clock or time synchronisation among packet nodes using timestamps
    • H04J3/0664Clock or time synchronisation among packet nodes using timestamps unidirectional timestamps
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/0695Management of faults, events, alarms or notifications the faulty arrangement being the maintenance, administration or management system
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L43/0817Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/0681Configuration of triggering conditions

Definitions

  • the invention relates to a method for monitoring a first node in a communications network and to a monitoring system.
  • DE 10 2012 023 748 A1 discloses a method for synchronizing sensors, in which method a clock from a timer in the sensors is compared with a clock from a central timer in a control unit.
  • DE 103 61 178 A1 discloses a communications network in which the nodes compare time offsets in time-stamped messages.
  • EP 2 648 100 A1 discloses a process-monitoring device and an automation unit comprising such a device.
  • the object of the invention can be considered that of providing an improved method for monitoring a first node in a communications network.
  • the object of the invention can be considered that of providing an improved monitoring system.
  • a method for monitoring a first node in a communications network determines at each of two consecutive time points a time value, which is based on an internal timer of the second node, and sends each determined time value to the first node via the communications network.
  • the first node in response to each receipt of the sent time values, determines a further time value, which is based on a further internal timer of the first node, wherein the first node compares a difference between the two time values from the second node with a difference between the two further time values from the first node, wherein the first node goes into an error state depending on the comparison.
  • a method for monitoring a first node in a communications network by a second node comprising the steps:
  • a monitoring system comprising a first node and a second node in a communications network.
  • the first node has a single-channel design comprising a processor, and is designed to execute a safety-oriented application.
  • the second node has a dual-channel design comprising two processors, which monitor each other for malfunctions, and wherein a safety protocol is used for a data transfer between the first node and the second node on the communications network.
  • the dual-channel second node further comprises an internal timer and a communications interface, wherein the one processor of the dual-channel second node is designed to determine a time value on the basis of the internal timer, and wherein the communications interface is designed to send the determined time values to the single-channel first node via the communications network.
  • the first node comprises a further internal timer and a further communications interface, wherein the communications interface is designed to receive the time values from the dual-channel second node via the communications network, and wherein the processor of the single-channel first node is designed to determine, in response to each receipt of the sent time values from the dual-channel second node, a further time value based on the further internal timer, and to compare a difference between the two time values from the dual-channel second node with a difference between the two further time values from the single-channel first node, wherein the first node is designed to go into an error state depending on the comparison.
  • FIG. 1 is a flow diagram of a method for monitoring a first node of a communications network
  • FIG. 2 shows a system for monitoring a first node of a communications network
  • FIG. 3 shows a node for a communications network
  • FIG. 4 shows a further node for a communications network.
  • a method for monitoring a first node in a communications network is provided.
  • a system for monitoring a first node of a communications network comprising:
  • a node for a communications network comprises:
  • a node for a communications network comprises:
  • the node that sends the time values to the further node via the communications network is referred to as the second node.
  • the node that receives these time values is referred to as the first node.
  • the prefix “further” is added to the timer, the communications interface and the processor of the first node.
  • the invention includes in particular the idea that a second node of the communications network sends time values, which are determined at two consecutive time points, to the first node via the communications network.
  • This first node forms a difference in these two time values, i.e. a delta (Δ).
  • said first node itself determines further time values, which time values are associated with the respective receive times of the sent time values from the second node.
  • the first node forms a corresponding difference, i.e. a delta (Δ), from the time values it has determined.
  • the first node compares these two differences. The first node goes into an error state depending on the comparison.
  • Since the determined time values are based on the internal timers of the first node and of the second node, comparing the corresponding differences in the time values advantageously makes it possible to check whether the two internal timers of the two nodes are running synchronously or whether the further internal timer of the first node is running faster or slower than the internal timer of the second node.
  • the communications network does not need to comprise an additional, separate external master clock, in other words a separate external timer.
  • the internal timer of the second node is used for this purpose.
  • the sent time value therefore does not need to include an absolute date. This reduces a corresponding volume of data to be sent.
  • the time value determined at a time point equals in particular a counter value, which is incremented or decremented on the basis of the internal timer of the first node or second node.
  • the second node determines at two consecutive time points a corresponding counter value, and then sends these counter values to the first node.
  • the first node itself determines at the respective receive times of these counter values an internal counter value of a further internal counter of the first node, which is incremented or decremented on the basis of the further internal timer.
  • the respective timers provide a clock, for instance a millisecond clock, for the incrementing or decrementing.
  • If the two internal timers of the two nodes are running synchronously with each other, then the two counters should have been incremented or decremented by the same amount, within the bounds of accuracy given by measurement tolerances or random or systematic errors. If the two differences differ by a defined threshold value, however, it is assumed that the two internal timers are no longer running synchronously with each other, with one running faster or slower than the other. In this case it is then provided particularly that the first node goes into an error state. Said defined threshold value depends, for example, on the specific application.
  • the threshold value for triggering the error state depends on a time resolution of the two internal timers.
  • the smallest common unit of time of the two internal timers is preferably used, such as, for instance, 1 ms, particularly 10 ms or also preferably 100 ms, and the smallest common unit of time is increased by a percentage value, for example by 20%, particularly by 30%.
  • a time safety margin is applied to the smallest unit of time.
  • the increased common unit of time forms the threshold value. If the difference in two consecutive timer values or time values differs by more than the smallest common unit of time increased by the percentage value, so for instance by more than 20%, the error state is assumed and the first node hence goes into an error state.
  • the time values from the second node are determined at a defined time interval from respective send times of the time values. This achieves in particular the technical advantage that any jitter in the timer generation can be minimized. This is by virtue of delaying until the defined time interval before the transmission of the time value, when the current time value or counter value of the counter is then used.
  • the defined time interval lies particularly in the microsecond range, particularly in a range of 1 μs to 1000 μs, for example between 1 μs and 500 μs, in particular between 1 μs and 100 μs, preferably between 1 μs and 10 μs.
  • the second node has a dual-channel design and the first node has a single-channel design.
  • With the dual-channel design, in particular, the second node has increased redundancy and reliability. Since the second node already has a dual-channel design, this need not necessarily also be the case for the first node. It is sufficient in this case for said node to have a single-channel design. This simplifies a corresponding system design.
  • the first node can be produced more cheaply. For example, it can be in the form of a standard “personal computer” (PC).
  • the second node comprises two processors, in particular two microprocessors, for example two microcontrollers.
  • the first node preferably comprises a single processor.
  • the two processors of the second node are thus designed in particular to monitor each other for malfunctions. If one of the processors has a malfunction, the other processor of the second node can still perform functions of the first processor. Both processors are designed particularly to determine the relevant timer values or time values.
  • the second node sends the time values to the first node regardless of any module error associated with an electronic module connected to the second node.
  • the second node sends the time values to the first node even in the event of a module error.
  • the first node can check its internal timer on the basis of the sent time values from the second node. This advantageously ensures that it is still possible to monitor the first node even in the event of a module error.
  • an electronic module is an actuator or a sensor which is connected to the second node.
  • the second node reads the sensor or controls the actuator. If an error occurs during the control operation or read operation, for example, this is referred to as a module error. In particular if the sensor or actuator has a malfunction, then this is also referred to in particular as a module error.
  • the second node regardless of such errors, determines or generates relevant time values and sends these time values to the first node via the communications network.
  • a module error may include, for instance, a fault in external wiring for the module.
  • the time value is thus still generated in particular regardless of such module errors.
  • module errors can be detected by means of an input terminal and/or output terminal of a bus terminal system, where the terminals are nodes of the communications network.
  • the communications network is an EtherCAT communications network.
  • the communications network is a Fieldbus communications network, in particular it is a Profibus or a Profinet communications system.
  • an automation system that comprises the system according to the invention.
  • the automation system is, for example, part of a production facility, in particular of an industrial production facility.
  • the automation system is part of a building automation system, for instance.
  • a safety-oriented application is executed in the first node, or the first node, particularly the further processor, is designed to execute a safety-oriented application. This is done in particular on the basis of the further internal timer of the first node. This means thus in particular that the further internal timer of the first node adopts a timing clock for running or executing the safety-oriented application. It is particularly important here that the further internal timer of the first node works correctly, i.e. is running neither too slow nor too fast. This is because this is particularly important for timing characteristics of switch-on and/or switch-off delays, which are often used in safety-oriented applications.
  • the comparison according to the invention of the time values, i.e. comparing the corresponding differences, can advantageously be used to ensure that the internal timer of the first node does not slow down or speed up inadmissibly, which could result in it no longer being possible to run correctly the safety-oriented application that is executed in the first node.
  • the design of the first node to go into an error state depending on the comparison includes in particular the case in which the further processor of the first node is designed to go into an error state depending on the comparison.
  • the error state means, for example, that execution of the safety application in the node is stopped, with communication to the external nodes also being suspended, for example, so that after a definable watchdog time, these nodes likewise switch into the safe state and switch off the outputs.
  • the steps of determining the time value, sending the time value to the first node, and, in response to the receipt, the first node determining a further time value are performed, according to one embodiment, successively in a cyclical manner.
  • the cycle corresponds to a data transfer cycle of the communications network.
  • the time value or counter value to be sent is packaged or inserted into a message, which is sent to the first node via the communications network in accordance with the transfer cycle. It is preferably provided to delay determining the counter value or time value until a defined time interval from a message transmission, so that it is advantageously possible to send to the first node a counter value that is as recent as possible.
  • the defined time interval lies in the microsecond range for instance. This achieves in particular the technical advantage that any jitter in generating or determining the time value or counter value can be minimized.
  • FIG. 1 shows a flow diagram of a method for monitoring a first node of a communications network.
  • a second node of the communications network determines at a first time point a time value based on an internal timer of the second node.
  • This time value for example, corresponds to a counter value of an internal counter of the second node, where the internal counter is incremented or decremented in accordance with the clock provided by the internal timer.
  • the second node sends the determined time value, so for instance the counter value at the first time point, to the first node via the communications network.
  • the first node receives this time value, where in response to the receipt the first node determines a further time value according to a step 107 . This is done on the basis of a further internal timer of the first node.
  • this further time value also corresponds to a counter value of an internal counter of the first node at the time of receiving the time value of the second node as given by the step 105 . This internal counter is incremented or decremented on the basis of the further internal timer.
  • Steps 101 to 107 are performed successively in a cyclical manner.
  • the cycle corresponds to a data transfer cycle of the communications network.
  • the time value or counter value to be sent is packaged or inserted into a message, which is sent to the first node via the communications network in accordance with the transfer cycle. It is preferably provided to delay determining the counter value until a defined time interval from a message transmission, so that it is advantageously possible to send to the first node a counter value that is as recent as possible.
  • the defined time interval lies in the microsecond range for instance. This achieves in particular the technical advantage that any jitter in generating or determining the time value or counter value can be minimized.
  • the first node then has available two time values or counter values from the second node that were determined at two consecutive time points.
  • the first node also has available two further time values or counter values, which correspond to those counter values at the respective receive times.
  • the first node compares a difference between the two time values from the second node with a difference between the two further time values from the first node.
  • the first node forms a difference between the two time values from the second node.
  • the first node also forms a difference between the two further time values from the first node.
  • the two differences should be equal. If, on the other hand, the further internal timer of the first node is running faster or slower than the internal timer of the second node, then there is disparity in the respective differences. Should this disparity be greater than a predetermined threshold value, it is provided according to step 111 that the first node goes into an error state.
  • This threshold value depends in particular on the specific application and must take into account particularly parameters such as transfer rate, transmission path and jitter, for example. This is why there is the threshold value, because typically the ideal case rarely occurs in a real environment.
  • the method according to the invention advantageously makes it possible for a second node of the communications network to monitor the first node to check that the internal timer of the first node is not running faster or slower than the internal timer of the second node.
  • This is especially important and particularly advantageous in particular when a safety-oriented application is being executed in the first node and said execution is performed on the basis of a clock provided by the further internal timer.
  • Such execution may be, for example, switching on or switching off specific actuators or final control elements that are controlled on the basis of the safety-oriented application.
  • the communications network is a Fieldbus communications network.
  • This Fieldbus is an EtherCAT Fieldbus, for example.
  • the protocol that is used to send the time values to the first node via the communications network is a Safety over EtherCAT protocol, for instance.
  • This protocol has the advantage in particular of being a SIL3-certified protocol, i.e. a safety protocol. It is generally provided according to one embodiment that communication via the communications network is performed on the basis of the Safety over EtherCAT protocol.
  • FIG. 2 shows a system 201 for monitoring a first node of a communications network.
  • the system 201 comprises a first node 203 and a second node 205 .
  • the communications network 207 which is a Fieldbus communications network for instance
  • the two nodes 203 , 205 each comprise a communications interface. Communication between the two nodes 203 , 205 is performed on the basis of a safety protocol, for instance on the basis of the Safety over EtherCAT protocol in this case.
  • the reference sign 209 points to an arrow which symbolizes a data transfer from the first node 203 to the second node 205 via the Fieldbus 207 .
  • the reference sign 211 points to an arrow which symbolizes a data transfer from the second node 205 to the first node 203 via the Fieldbus 207 .
  • This data transfer 211 transmits both data, for instance payload data, and time values or counter values that the second node 205 has determined as already explained in this description.
  • the second node 205 has a dual-channel design. This means that the second node 205 comprises two processors 213 , 215 , which can be designed as microprocessors or microcontrollers, for instance.
  • the second node 205 comprises an internal timer 219 .
  • the internal timer 219 is a millisecond timer, for example.
  • the internal timer 219 provides a clock, for example a millisecond clock, on the basis of which a counter is incremented or decremented.
  • the counter value at each time point is sent via the Fieldbus 207 to the first node 203 in accordance with the data transfer 211 .
  • This uses a safety protocol 221 , which in this case is the Safety over EtherCAT protocol, for example. It is preferably provided to delay determining the relevant counter value until a defined time interval from the time of the data transfer or message transmission 211 .
  • a counter value that is as recent as possible is thus advantageously used for sending to the first node 203 .
  • the first node 203 receives these counter values in succession and determines in response to each receipt a counter value of an internal counter of the first node 203 , which internal counter is incremented or decremented on the basis of a further internal timer of the first node 203 .
  • This further internal timer of the first node 203 is intended to provide a clock that is the same as, or proportional to, the internal timer 219 of the second node 205 . Thus this means that there is meant to be at least a defined relationship between the respective clocks.
  • a processor 223 of the first node 203 forms respective differences for the respective time values or counter values, and compares said differences with each other. Should the differences have a disparity that is greater than a defined threshold value, then the processor 223 and hence also the node 203 goes into an error state.
  • the first node 203 has a single-channel design in that it has a single processor 223 , although this processor can certainly have a plurality of cores in embodiments that are generally independent of this specific exemplary embodiment.
  • FIG. 3 shows a node 301 for a communications network.
  • the node 301 is an embodiment of a second node for the communications network.
  • such a node 301 comprises a communications interface 303 , an internal timer 305 and a processor 307 .
  • the internal timer 305 provides a clock.
  • the processor 307 is designed to determine a time value on the basis of the internal timer.
  • the communications interface 303 is designed to send via the communications network time values, which are determined by the processor 307 at two consecutive time points, to a further node, for example to the first node of the communications network, for instance the node 203 as shown in FIG. 2 .
  • FIG. 4 shows a further node 401 for a communications network.
  • the node 401 shown in FIG. 4 is a first node in the sense of this description.
  • the node 401 is the node 203 shown in FIG. 2 .
  • such a node 401 has the following design. It comprises a communications interface 403 , which can be referred to as a further communications interface to make a distinction from the communications interface of the second node 301 shown in FIG. 3 .
  • the node 401 also comprises an internal timer 405 , which can likewise be referred to as a further internal timer to make said internal timer more easily distinguishable from the internal timer 305 of the node 301 .
  • the node 401 also comprises a processor 407 , which can be referred to likewise as a further processor to make a distinction from the processor 307 .
  • the further communications interface 403 is designed to receive time values from a further node, for example from the node 301 , via the communications network.
  • the processor 407 is designed to determine, in response to each receipt of the time values, a further time value, which is based on the internal timer 405 , and to compare a difference between the two received time values with a difference between the two further time values.
  • the node 401 in particular the processor 407 , is designed to go into an error state depending on the comparison.
  • the invention includes in particular the idea of providing a method that can be used to monitor a single-channel safe system (first node) by transmitting timer values (time values or counter values) from a dual-channel safe system (second node).
  • a safety protocol in this case FSoE, Safety over EtherCAT
  • FSoE PC-based safety runtime component
  • second node safety-oriented device
  • A Fieldbus, preferably also Ethernet-based, is used for communication between these devices.
  • Data is transferred cyclically between the two devices by means of the safety protocol.
  • A timer value is additionally transmitted in the channel from the safety device to the single-channel device. This timer value is generated by the safety device, which has a dual-channel design.
  • The PC-based safety runtime component has its own timer, which is compared with the transmitted timer value. If this CPU establishes that the timer values are diverging inadmissibly, the CPU goes into an error state.
  • This comparison of the timer values is needed to ensure that the timer of the single-channel system does not slow down or speed up inadmissibly and thereby prevent the safety-oriented application, which is executed in said system, from being able to execute correctly. This is particularly important for the timing characteristics of switch-on and/or switch-off delays, which are often used in safety-oriented applications.
  • The timer generation function is activated, for example, by the definition of the process image of the safety device.
  • The timer is generated by a high-priority timer task on one of the two μC (microcontrollers) of the second node.
  • The two microcontrollers monitor each other, with the result that any malfunction in the hardware and/or software is detected (SIL3).
  • The determined timer value is packaged into the safety protocol and transmitted to the single-channel system (first node) in the next FSoE communication cycle.
  • Timer generation preferably still continues even in the event of a module error in the safety device.
  • A safety protocol, for instance in this case FSoE (IEC61784-3-12), which is SIL3-certified, is used for the transmission.
  • This invention describes a timer value (from the second node), which can be provided at SIL3 quality to a single-channel safe system (first node).

Abstract

A method and corresponding system are described for monitoring a first node in a communications network by a second node, where the first node has a single-channel design and is designed to execute a safety-oriented application. The second node has a dual-channel design, and a safety protocol is used for a data transfer between the first and second node. The second node determines at each of two consecutive time points a time value based on an internal timer, and sends each determined time value to the first node. The first node in response to each receipt of the time values determines a further time value based on a further internal timer. The first node compares a difference between the two time values from the second node with a difference between the two further time values from the first node, and goes into an error state depending on the comparison.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
This application is a continuation of International Patent Application No. PCT/EP2015/073758, filed Oct. 14, 2015, which claims priority to German Patent Application DE 10 2014 114883.5, filed Oct. 14, 2014, each of which is incorporated by reference herein, in the entirety and for all purposes.
FIELD
The invention relates to a method for monitoring a first node in a communications network and to a monitoring system.
BACKGROUND
DE 10 2012 023 748 A1 discloses a method for synchronizing sensors, in which method a clock from a timer in the sensors is compared with a clock from a central timer in a control unit. DE 103 61 178 A1 discloses a communications network in which the nodes compare time offsets in time-stamped messages. EP 2 648 100 A1 discloses a process-monitoring device and an automation unit comprising such a device.
SUMMARY
The object of the invention can be considered that of providing an improved method for monitoring a first node in a communications network.
In addition, the object of the invention can be considered that of providing an improved monitoring system.
According to one aspect, a method for monitoring a first node in a communications network is provided. A second node of the communications network determines at each of two consecutive time points a time value, which is based on an internal timer of the second node, and sends each determined time value to the first node via the communications network. The first node, in response to each receipt of the sent time values, determines a further time value, which is based on a further internal timer of the first node, wherein the first node compares a difference between the two time values from the second node with a difference between the two further time values from the first node, wherein the first node goes into an error state depending on the comparison.
According to another aspect, a method for monitoring a first node in a communications network by a second node is provided. The first node has a single-channel design and is designed to execute a safety-oriented application, wherein the second node has a dual-channel design, and wherein a safety protocol is used for a data transfer between the first node and the second node on the communications network. The method comprising the steps:
    • determining in the dual-channel second node at each of two consecutive time points a time value (211), which is based on an internal timer of the dual-channel second node (205, 301), and the dual-channel second node sending each determined time value to the single-channel first node via the communications network (207),
    • the single-channel first node receiving the sent time value and determining in response to the receipt a further time value (211), which is based on a further internal timer of the single-channel first node, with the result that two further time values are present in the single-channel first node,
    • the single-channel first node comparing a difference between the two time values from the dual-channel second node with a difference between the two further time values from the single-channel first node (203, 401), wherein the single-channel first node goes into an error state depending on the comparison.
According to another aspect a monitoring system comprising a first node and a second node in a communications network is provided. The first node has a single-channel design comprising a processor, and is designed to execute a safety-oriented application. The second node has a dual-channel design comprising two processors, which monitor each other for malfunctions, and wherein a safety protocol is used for a data transfer between the first node and the second node on the communications network. The dual-channel second node further comprises an internal timer and a communications interface, wherein the one processor of the dual-channel second node is designed to determine a time value on the basis of the internal timer, and wherein the communications interface is designed to send the determined time values to the single-channel first node via the communications network. The first node comprises a further internal timer and a further communications interface, wherein the communications interface is designed to receive the time values from the dual-channel second node via the communications network, and wherein the processor of the single-channel first node is designed to determine, in response to each receipt of the sent time values from the dual-channel second node, a further time value based on the further internal timer, and to compare a difference between the two time values from the dual-channel second node with a difference between the two further time values from the single-channel first node, wherein the first node is designed to go into an error state depending on the comparison.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention is explained in more detail below with reference to preferred exemplary embodiments, in which:
FIG. 1 is a flow diagram of a method for monitoring a first node of a communications network;
FIG. 2 shows a system for monitoring a first node of a communications network;
FIG. 3 shows a node for a communications network; and
FIG. 4 shows a further node for a communications network.
DETAILED DESCRIPTION
According to one aspect, a method for monitoring a first node in a communications network is provided,
    • wherein a second node of the communications network determines at each of two consecutive time points a time value, which is based on an internal timer of the second node, and sends each determined time value to the first node via the communications network,
    • wherein the first node, in response to each receipt of the sent time values, determines a further time value, which is based on a further internal timer of the first node,
    • wherein the first node compares a difference between the two time values from the second node with a difference between the two further time values from the first node,
    • wherein the first node goes into an error state depending on the comparison.
According to another aspect, a system for monitoring a first node of a communications network is provided, comprising:
    • a first node for the communications network and a second node for the communications network,
    • wherein the second node comprises an internal timer, at least one processor, which is designed to determine a time value on the basis of the internal timer, and a communications interface, which is designed to send time values, which are determined by the at least one processor at two consecutive time points, to the first node via the communications network,
    • wherein the first node comprises a further internal timer and a further communications interface, which is designed to receive the time values from the second node via the communications network,
    • wherein the first node comprises a further processor, which is designed to determine, in response to each receipt of the sent time values from the second node, a further time value, which is based on the further internal timer, and to compare a difference between the two time values from the second node with a difference between the two further time values from the first node,
    • wherein the first node is designed to go into an error state depending on the comparison.
According to one aspect, a node for a communications network is provided that comprises:
    • an internal timer,
    • at least one processor, which is designed to determine a time value on the basis of the internal timer, and
    • a communications interface, which is designed to send time values, which are determined by the at least one processor at two consecutive time points, to a further node via the communications network.
According to another aspect, a node for a communications network is provided that comprises:
    • an internal timer,
    • a communications interface, which is designed to receive time values from a further node via the communications network, and
    • a processor, which is designed to determine, in response to each receipt of the time values, a further time value, which is based on the internal timer, and to compare a difference between the two successively received time values with a difference between the two successively determined further time values,
    • wherein the node is designed to go into an error state depending on the comparison.
To make a clearer distinction, the node that sends the time values to the further node via the communications network is referred to as the second node. The node that receives these time values is referred to as the first node. To make it easier to distinguish the node to which the timer, the communications interface and the processor belong, in the description the prefix “further” is added to the timer, the communications interface and the processor of the first node.
Comments made in connection with the method apply analogously also to the system and to the nodes. This means that features, advantages and embodiments of the method arise analogously from the corresponding embodiments of the system or of the nodes, and vice versa.
Thus the invention includes in particular the idea that a second node of the communications network sends time values, which are determined at two consecutive time points, to the first node via the communications network. This first node forms a difference in these two time values, i.e. a delta (Δ). In addition, said first node itself determines further time values, which time values are associated with the respective receive times of the sent time values from the second node. Again in this case, the first node forms a corresponding difference, i.e. a delta (Δ), from the time values it has determined. The first node compares these two differences. The first node goes into an error state depending on the comparison.
Since the determined time values are based on the internal timer of the first node and of the second node, comparing the corresponding differences in the time values advantageously makes it possible to check whether the two internal timers of the two nodes are running synchronously or whether the further internal timer of the first node is running faster or slower than the internal timer of the second node. This advantageously allows monitoring of the internal timer of the first node. This is achieved solely by the second node transmitting to the first node time values that are based on the internal timer of said second node. Thus this means in particular that for checking the further internal timer of the first node, the communications network does not need to comprise an additional, separate external master clock, in other words a separate external timer. Instead, the internal timer of the second node is used for this purpose. By virtue of comparing corresponding differences with each other, it is advantageously no longer necessary for absolute time values to have to be transmitted. The sent time value therefore does not need to include an absolute date. This reduces a corresponding volume of data to be sent.
The time value determined at a time point equals in particular a counter value, which is incremented or decremented on the basis of the internal timer of the first node or second node. Thus this means in particular that the second node determines at two consecutive time points a corresponding counter value, and then sends these counter values to the first node. The first node itself determines at the respective receive times of these counter values an internal counter value of a further internal counter of the first node, which is incremented or decremented on the basis of the further internal timer. The respective timers provide a clock, for instance a millisecond clock, for the incrementing or decrementing.
If the two internal timers of the two nodes are running synchronously with each other, then the two counters should have been incremented or decremented by the same amount, within the bounds of accuracy given by measurement tolerances or random or systematic errors. If the two differences differ by a defined threshold value, however, it is assumed that the two internal timers are no longer running synchronously with each other, with one running faster or slower than the other. In this case it is then provided particularly that the first node goes into an error state. Said defined threshold value depends, for example, on the specific application.
According to one embodiment, the threshold value for triggering the error state depends on a time resolution of the two internal timers. In order to determine the threshold value, the smallest common unit of time of the two internal timers is preferably used, such as, for instance, 1 ms, particularly 10 ms or also preferably 100 ms, and the smallest common unit of time is increased by a percentage value, for example by 20%, particularly by 30%. Thus a time safety margin is applied to the smallest unit of time. The increased common unit of time forms the threshold value. If the difference in two consecutive timer values or time values differs by more than the smallest common unit of time increased by the percentage value, so for instance by more than 20%, the error state is assumed and the first node hence goes into an error state.
According to one embodiment, the time values from the second node are determined at a defined time interval from respective send times of the time values. This achieves in particular the technical advantage that any jitter in the timer generation can be minimized. This is by virtue of delaying until the defined time interval before the transmission of the time value, when the current time value or counter value of the counter is then used. The defined time interval lies particularly in the microsecond range, particularly in a range of 1 μs to 1000 μs, for example between 1 μs and 500 μs, in particular between 1 μs and 100 μs, preferably between 1 μs and 10 μs.
In another embodiment, the second node has a dual-channel design and the first node has a single-channel design. This achieves in particular the technical advantage that for the second node, there is an increased likelihood that the second node detects for itself internal errors or malfunctions. This is thanks to the dual-channel design. In particular the second node has increased redundancy and reliability. Since the second node already has a dual-channel design, this need not necessarily also still be the case for the first node. It is sufficient in this case for said node to have a single-channel design. This simplifies a corresponding system design. In particular, the first node can be produced more cheaply. For example, it can be in the form of a standard “personal computer” (PC). In particular, the second node comprises two processors, in particular two microprocessors, for example two microcontrollers. In contrast, the first node preferably comprises a single processor. The two processors of the second node are thus designed in particular to monitor each other for malfunctions. If one of the processors has a malfunction, the other processor of the second node can still perform functions of the first processor. Both processors are designed particularly to determine the relevant timer values or time values.
In another embodiment, it is provided to send the time values on the basis of the Safety over EtherCAT protocol. This achieves in particular the technical advantage that the time values are transmitted on the basis of a safety protocol that in particular is SIL3-certified. The acronym SIL here stands for Safety Integrity Level. Safety over EtherCAT is internationally standardized in IEC 61784-3-12.
According to another embodiment, the second node sends the time values to the first node regardless of any module error associated with an electronic module connected to the second node. This achieves in particular the technical advantage that the second node sends the time values to the first node even in the event of a module error. Thus even in the event of a module error, the first node can check its internal timer on the basis of the sent time values from the second node. This advantageously ensures that it is still possible to monitor the first node even in the event of a module error.
For example, an electronic module is an actuator or a sensor which is connected to the second node. In other words, the second node reads the sensor or controls the actuator. If an error occurs during the control operation or read operation, for example, this is referred to as a module error. In particular if the sensor or actuator has a malfunction, then this is also referred to in particular as a module error. Thus this means that in the event of any fault in the electronic module or in the event of an error occurring in a control operation or a read operation on the electronic module, this has no effect on determining the time values nor on sending these time values. This means that the second node, regardless of such errors, determines or generates relevant time values and sends these time values to the first node via the communications network. A module error may include, for instance, a fault in external wiring for the module. The time value is thus still generated in particular regardless of such module errors. According to one embodiment, module errors can be detected by means of an input terminal and/or output terminal of a bus terminal system, where the terminals are nodes of the communications network.
According to one embodiment, the communications network is an EtherCAT communications network. According to one embodiment, in general the communications network is a Fieldbus communications network, in particular it is a Profibus or a Profinet communications system.
According to one embodiment, an automation system is provided that comprises the system according to the invention. The automation system is, for example, part of a production facility, in particular of an industrial production facility. The automation system is part of a building automation system, for instance.
According to one embodiment, a safety-oriented application is executed in the first node, or the first node, particularly the further processor, is designed to execute a safety-oriented application. This is done in particular on the basis of the further internal timer of the first node. This means thus in particular that the further internal timer of the first node adopts a timing clock for running or executing the safety-oriented application. It is particularly important here that the further internal timer of the first node works correctly, i.e. is running neither too slow nor too fast. This is because this is particularly important for timing characteristics of switch-on and/or switch-off delays, which are often used in safety-oriented applications. The comparison according to the invention of the time values (i.e. in this case comparing the corresponding differences) can advantageously be used to ensure that the internal timer of the first node does not slow down or speed up inadmissibly, which could result in it no longer being possible to run correctly the safety-oriented application that is executed in the first node.
The design of the first node to go into an error state depending on the comparison includes in particular the case in which the further processor of the first node is designed to go into an error state depending on the comparison.
The error state means, for example, that execution of the safety application in the node is stopped, with communication to the external nodes also being suspended, for example, so that after a definable watchdog time, these nodes likewise switch into the safe state and switch off the outputs.
The steps of determining the time value, sending the time value to the first node, and, in response to the receipt, the first node determining a further time value are performed, according to one embodiment, successively in a cyclical manner. In particular in this case, the cycle corresponds to a data transfer cycle of the communications network. According to one embodiment, the time value or counter value to be sent is packaged or inserted into a message, which is sent to the first node via the communications network in accordance with the transfer cycle. It is preferably provided to delay determining the counter value or time value until a defined time interval from a message transmission, so that it is advantageously possible to send to the first node a counter value that is as recent as possible. The defined time interval lies in the microsecond range for instance. This achieves in particular the technical advantage that any jitter in generating or determining the time value or counter value can be minimized.
FIG. 1 shows a flow diagram of a method for monitoring a first node of a communications network.
According to a step 101, a second node of the communications network determines at a first time point a time value based on an internal timer of the second node. This time value, for example, corresponds to a counter value of an internal counter of the second node, where the internal counter is incremented or decremented in accordance with the clock provided by the internal timer.
In a step 103, the second node sends the determined time value, so for instance the counter value at the first time point, to the first node via the communications network. In a step 105, the first node receives this time value, where in response to the receipt the first node determines a further time value according to a step 107. This is done on the basis of a further internal timer of the first node. For example, this further time value also corresponds to a counter value of an internal counter of the first node at the time of receiving the time value of the second node as given by the step 105. This internal counter is incremented or decremented on the basis of the further internal timer.
Steps 101 to 107 are performed successively in a cyclical manner. In particular in this case, the cycle corresponds to a data transfer cycle of the communications network. The time value or counter value to be sent is packaged or inserted into a message, which is sent to the first node via the communications network in accordance with the transfer cycle. It is preferably provided to delay determining the counter value until a defined time interval from a message transmission, so that it is advantageously possible to send to the first node a counter value that is as recent as possible. The defined time interval lies in the microsecond range for instance. This achieves in particular the technical advantage that any jitter in generating or determining the time value or counter value can be minimized.
Once the steps 101 to 107 have been performed twice, the first node then has available two time values or counter values from the second node that were determined at two consecutive time points. In addition, the first node also has available two further time values or counter values, which correspond to those counter values at the respective receive times. In a step 109, the first node compares a difference between the two time values from the second node with a difference between the two further time values from the first node. Thus this means that the first node forms a difference between the two time values from the second node. The first node also forms a difference between the two further time values from the first node. These two differences are compared with each other. In the ideal case, when the two internal timers of the two nodes are running synchronously with each other, the two differences should be equal. If, on the other hand, the further internal timer of the first node is running faster or slower than the internal timer of the second node, then there is disparity in the respective differences. Should this disparity be greater than a predetermined threshold value, it is provided according to step 111 that the first node goes into an error state. This threshold value depends in particular on the specific application and must take into account particularly parameters such as transfer rate, transmission path and jitter, for example. This is why there is the threshold value, because typically the ideal case rarely occurs in a real environment.
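The comparison of steps 109 and 111, together with the threshold rule described earlier (smallest common unit of time increased by a percentage), is sketched below as an added example; it is not code from the patent or from any product. All names are hypothetical, and the sketch assumes free-running, incrementing 32-bit counters, tick periods given in microseconds, and an error state that is latched once entered.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical monitor state held by the single-channel first node. */
typedef enum { MON_WAIT_FIRST, MON_RUNNING, MON_ERROR } mon_state_t;

typedef struct {
    mon_state_t state;
    uint32_t prev_remote;    /* last counter value received from the second node */
    uint32_t prev_local;     /* local counter captured at that receipt */
    uint32_t remote_tick_us; /* tick period of the second node's counter */
    uint32_t local_tick_us;  /* tick period of the first node's counter */
    uint64_t threshold_us;   /* allowed disparity between the two deltas */
} timer_monitor_t;

typedef struct { uint32_t remote; uint32_t local; } sample_t;

/* Threshold = smallest common unit of time increased by a percentage margin. */
uint64_t mon_threshold_us(uint32_t unit_us, uint32_t margin_percent)
{
    return ((uint64_t)unit_us * (100u + margin_percent)) / 100u;
}

void mon_init(timer_monitor_t *m, uint32_t remote_tick_us,
              uint32_t local_tick_us, uint32_t unit_us, uint32_t margin_percent)
{
    m->state = MON_WAIT_FIRST;
    m->prev_remote = 0;
    m->prev_local = 0;
    m->remote_tick_us = remote_tick_us;
    m->local_tick_us = local_tick_us;
    m->threshold_us = mon_threshold_us(unit_us, margin_percent);
}

/* Called on each receipt: remote_value arrived in the safety message,
 * local_value was read from the further internal timer at that moment. */
mon_state_t mon_on_receive(timer_monitor_t *m, uint32_t remote_value,
                           uint32_t local_value)
{
    if (m->state == MON_ERROR)
        return MON_ERROR;                       /* error state is latched */

    if (m->state == MON_RUNNING) {
        /* Unsigned subtraction is modulo 2^32, so a counter that wrapped
         * between two receipts still yields the correct delta. */
        uint32_t d_remote = remote_value - m->prev_remote;
        uint32_t d_local  = local_value - m->prev_local;

        /* Scale both deltas to microseconds so that clocks which are only
         * proportional to each other can be compared. */
        uint64_t remote_us = (uint64_t)d_remote * m->remote_tick_us;
        uint64_t local_us  = (uint64_t)d_local * m->local_tick_us;
        uint64_t disparity = remote_us > local_us ? remote_us - local_us
                                                  : local_us - remote_us;
        if (disparity > m->threshold_us) {
            m->state = MON_ERROR;               /* step 111 */
            return MON_ERROR;
        }
    }
    m->prev_remote = remote_value;
    m->prev_local = local_value;
    m->state = MON_RUNNING;
    return MON_RUNNING;
}

/* Feeds n samples; returns the index that triggered the error state, or -1. */
int mon_run(timer_monitor_t *m, const sample_t *s, int n)
{
    for (int i = 0; i < n; i++)
        if (mon_on_receive(m, s[i].remote, s[i].local) == MON_ERROR)
            return i;
    return -1;
}

/* Constructed samples, 1 ms ticks on both nodes, 10 ms transfer cycle. */
static const sample_t SYNC_ACROSS_WRAP[] = {   /* remote counter wraps */
    { 0xFFFFFFF6u, 500u }, { 0x00000000u, 510u }, { 0x0000000Au, 521u } };
static const sample_t SLOW_LOCAL[] = {         /* local timer loses 3 ms */
    { 100u, 1000u }, { 110u, 1010u }, { 120u, 1017u } };

int main(void)
{
    timer_monitor_t m;
    mon_init(&m, 1000u, 1000u, 1000u, 20u);    /* threshold: 1200 us */
    printf("in sync across wrap: %d\n", mon_run(&m, SYNC_ACROSS_WRAP, 3));
    mon_init(&m, 1000u, 1000u, 1000u, 20u);
    printf("slow local timer:    %d\n", mon_run(&m, SLOW_LOCAL, 3));
    return 0;
}
```

Because only consecutive pairs are compared, the threshold bounds the drift per cycle, so the cycle time and the threshold have to be chosen together for the application.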
Thus the method according to the invention advantageously makes it possible for a second node of the communications network to monitor the first node to check that the internal timer of the first node is not running faster or slower than the internal timer of the second node. This is especially important and particularly advantageous in particular when a safety-oriented application is being executed in the first node and said execution is performed on the basis of a clock provided by the further internal timer. Such execution may be, for example, switching on or switching off specific actuators or final control elements that are controlled on the basis of the safety-oriented application. By virtue of the timer of the second node being used to monitor the synchronous behavior of the timer of the first node, it is advantageously no longer necessary to provide a master clock or master timer that is formed separately from the two nodes. Since corresponding differences are being compared here, it is hence no longer necessary for absolute time information to be transmitted via the communications network. This reduces a corresponding volume of data.
In one embodiment, the communications network is a Fieldbus communications network. This Fieldbus is an EtherCAT Fieldbus, for example. The protocol that is used to send the time values to the first node via the communications network is a Safety over EtherCAT protocol, for instance. This protocol has the advantage in particular of being a SIL3-certified protocol, i.e. a safety protocol. It is generally provided according to one embodiment that communication via the communications network is performed on the basis of the Safety over EtherCAT protocol.
FIG. 2 shows a system 201 for monitoring a first node of a communications network.
The system 201 comprises a first node 203 and a second node 205. For communication via the communications network 207, which is a Fieldbus communications network for instance, the two nodes 203, 205 each comprise a communications interface. Communication between the two nodes 203, 205 is performed on the basis of a safety protocol, for instance on the basis of the Safety over EtherCAT protocol in this case. The reference sign 209 points to an arrow which symbolizes a data transfer from the first node 203 to the second node 205 via the Fieldbus 207. Similarly, the reference sign 211 points to an arrow which symbolizes a data transfer from the second node 205 to the first node 203 via the Fieldbus 207. This data transfer 211 transmits both data, for instance payload data, and time values or counter values that the second node 205 has determined as already explained in this description.
The second node 205 has a dual-channel design. This means that the second node 205 comprises two processors 213, 215, which can be designed as microprocessors or microcontrollers, for instance. In addition, the second node 205 comprises an internal timer 219. The internal timer 219 is a millisecond timer, for example. The internal timer 219 provides a clock, for example a millisecond clock, on the basis of which a counter is incremented or decremented. At consecutive time points, the counter value at each time point is sent via the Fieldbus 207 to the first node 203 in accordance with the data transfer 211. This uses a safety protocol 221, which in this case is the Safety over EtherCAT protocol, for example. It is preferably provided to delay determining the relevant counter value until a defined time interval from the time of the data transfer or message transmission 211. A counter value that is as recent as possible is thus advantageously used for sending to the first node 203.
The first node 203 receives these counter values in succession and determines in response to each receipt a counter value of an internal counter of the first node 203, which internal counter is incremented or decremented on the basis of a further internal timer of the first node 203. This further internal timer of the first node 203 is intended to provide a clock that is the same as, or proportional to, the internal timer 219 of the second node 205. Thus this means that there is meant to be at least a defined relationship between the respective clocks.
In order now to determine whether the clock of the further internal timer of the first node 203 is running faster or slower than the clock of the internal timer 219 of the second node 205, it is provided according to the invention that a processor 223 of the first node 203 forms respective differences for the respective time values or counter values, and compares said differences with each other. Should the differences have a disparity that is greater than a defined threshold value, then the processor 223 and hence also the node 203 goes into an error state. The first node 203 has a single-channel design in that it has a single processor 223, although this processor can certainly have a plurality of cores in embodiments that are generally independent of this specific exemplary embodiment.
FIG. 3 shows a node 301 for a communications network. The node 301 is an embodiment of a second node for the communications network.
In general, such a node 301 comprises a communications interface 303, an internal timer 305 and a processor 307. The internal timer 305 provides a clock. The processor 307 is designed to determine a time value on the basis of the internal timer. The communications interface 303 is designed to send via the communications network time values, which are determined by the processor 307 at two consecutive time points, to a further node, for example to the first node of the communications network, for instance the node 203 as shown in FIG. 2.
FIG. 4 shows a further node 401 for a communications network. The node 401 shown in FIG. 4 is a first node in the sense of this description. For example, the node 401 is the node 203 shown in FIG. 2.
In general, such a node 401 has the following design. It comprises a communications interface 403, which can be referred to as a further communications interface to make a distinction from the communications interface of the second node 301 shown in FIG. 3.
The node 401 also comprises an internal timer 405, which can likewise be referred to as a further internal timer to make said internal timer more easily distinguishable from the internal timer 305 of the node 301.
The node 401 also comprises a processor 407, which can be referred to likewise as a further processor to make a distinction from the processor 307.
The further communications interface 403 is designed to receive time values from a further node, for example from the node 301, via the communications network. The processor 407 is designed to determine, in response to each receipt of the time values, a further time value, which is based on the internal timer 405, and to compare a difference between the two received time values with a difference between the two further time values. The node 401, in particular the processor 407, is designed to go into an error state depending on the comparison.
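The comparison performed by the first node, as an added C sketch that is not part of the patent text: all type and function names, the 32-bit tick counters, the assumption that both clocks run at the same rate, and the constructed simulation inputs are illustrative assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; the patent defines no API. */
typedef enum { MON_WAIT_FIRST, MON_RUNNING, MON_ERROR } mon_state_t;

typedef struct {
    mon_state_t state;
    uint32_t last_remote;  /* previous counter value received from the second node */
    uint32_t last_local;   /* local counter sampled when that value was received  */
    uint32_t threshold;    /* largest tolerated disparity per interval, in ticks  */
} drift_monitor_t;

void mon_init(drift_monitor_t *m, uint32_t threshold_ticks)
{
    m->state = MON_WAIT_FIRST;
    m->last_remote = 0;
    m->last_local = 0;
    m->threshold = threshold_ticks;
}

/* Call once per received message: `remote` is the counter value carried in the
 * message, `local` is the first node's own counter sampled on receipt. */
mon_state_t mon_on_receive(drift_monitor_t *m, uint32_t remote, uint32_t local)
{
    if (m->state == MON_ERROR)
        return MON_ERROR;               /* error state is latched */

    if (m->state == MON_WAIT_FIRST) {   /* two samples are needed for a difference */
        m->state = MON_RUNNING;
    } else {
        /* Unsigned subtraction is modulo 2^32, so a counter that wraps between
         * two messages still yields the correct elapsed tick count. */
        uint32_t d_remote = remote - m->last_remote;
        uint32_t d_local  = local  - m->last_local;
        uint32_t disparity = d_remote > d_local ? d_remote - d_local
                                                : d_local - d_remote;
        if (disparity > m->threshold)
            m->state = MON_ERROR;       /* safety application must be stopped */
    }
    m->last_remote = remote;
    m->last_local = local;
    return m->state;
}

/* Constructed scenario: the second node's counter advances `remote_step` ticks
 * per transfer cycle, the first node's counter `local_step` ticks in the same
 * real time. Returns the 1-based index of the message at which the monitor
 * trips, or 0 if it never trips within `n_msgs` messages. */
uint32_t simulate(uint32_t remote_start, uint32_t remote_step,
                  uint32_t local_step, uint32_t threshold, uint32_t n_msgs)
{
    drift_monitor_t m;
    uint32_t remote = remote_start, local = 0;

    mon_init(&m, threshold);
    for (uint32_t i = 1; i <= n_msgs; i++) {
        if (mon_on_receive(&m, remote, local) == MON_ERROR)
            return i;
        remote += remote_step;
        local += local_step;
    }
    return 0;
}

int main(void)
{
    printf("matched clocks, remote counter wraps: trip at %u\n",
           (unsigned)simulate(0xFFFFFFF0u, 10, 10, 2, 100));
    printf("local clock 30%% fast:                 trip at %u\n",
           (unsigned)simulate(0, 10, 13, 2, 100));
    printf("local clock 50%% slow:                 trip at %u\n",
           (unsigned)simulate(0, 10, 5, 2, 100));
    return 0;
}
```

Because only consecutive intervals are compared, the threshold bounds the disparity per transfer cycle, so in practice it has to be chosen against the cycle time and the expected jitter.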
Thus the invention includes in particular the idea of providing a method that can be used to monitor a single-channel safe system (first node) by transmitting timer values (time values or counter values) from a dual-channel safe system (second node). It is particularly provided that a safety protocol (in this case FSoE, Safety over EtherCAT) is used to transfer data between a PC installed with a PC-based safety runtime component (first node) and a safety-oriented device (second node) in a safe (SIL3) manner. A Fieldbus (preferably also Ethernet-based) is used for communication between these devices.
Data is transferred cyclically between the two devices by means of the safety protocol. A timer value is additionally transmitted in the channel from the safety device to the single-channel device. This timer value is generated by the safety device, which has a dual-channel design.
The PC-based safety runtime component has its own timer, which is compared with the transmitted timer value. If the CPU running this component establishes that the timer values are diverging inadmissibly, the CPU goes into an error state.
This comparison of the timer values is needed to ensure that the timer of the single-channel system does not slow down or speed up inadmissibly and thereby prevent the safety-oriented application, which is executed in said system, from being able to execute correctly. This is particularly important for the timing characteristics of switch-on and/or switch-off delays, which are often used in safety-oriented applications.
The timer generation function is activated, for example, by the definition of the process image of the safety device.
The timer is generated by a high-priority timer task on one of the two μC (microcontrollers) of the second node. The two microcontrollers monitor each other, with the result that any malfunction in the hardware and/or software is detected (SIL3). The determined timer value is packaged into the safety protocol and transmitted to the single-channel system (first node) in the next FSoE communication cycle.
In order to minimize the jitter in the timer generation, it is preferable to delay until shortly before message transmission (defined time interval) and then to use the current timer value.
Timer generation preferably still continues even in the event of a module error in the safety device.
A safety protocol, for instance in this case FSoE (IEC61784-3-12), which is SIL3-certified, is used for the transmission.
Thus this invention describes a timer value (from the second node), which can be provided at SIL3 quality to a single-channel safe system (first node).
This invention has been described with respect to exemplary embodiments. It is understood that changes can be made and equivalents can be substituted to adapt these disclosures to different materials and situations, while remaining within the scope of the invention. The invention is thus not limited to the particular examples that are disclosed, but encompasses all the embodiments that fall within the scope of the claims.

Claims (13)

What is claimed is:
1. A method for monitoring a first node in a fieldbus communications network by a second node,
wherein the second node of the fieldbus communications network determines at two consecutive time points first and second time values, which are based on an internal timer of the second node, and sends the first and second time values to the first node via the fieldbus communications network, the first and second time values equaling first and second counter values, respectively, which are incremented or decremented on the basis of the internal timer of the second node, each counter value being inserted into a respective message, the messages being sent successively to the first node in accordance with a transfer cycle, the second node having a dual-channel design comprising two processors which monitor each other for malfunctions, both processors determining the first and second time values,
wherein the first node, in response to receipt of the first and second time values, determines third and fourth time values, which are based on a further internal timer of the first node, the third and fourth time values equaling third and fourth counter values, respectively, which are incremented or decremented on the basis of the further internal timer of the first node,
wherein the first node compares a difference between the first and second time values from the second node with a difference between the third and fourth time values from the first node, and
wherein the first node executes a safety-oriented application on the basis of a clock provided by the further internal timer and goes into an error state if the respective differences differ by a defined threshold value, wherein the threshold value depends on the safety-oriented application and one or more respective parameters selected from transfer rate, transmission path, and jitter, and wherein the error state indicates or signifies that execution of the safety-oriented application in the first node is stopped.
2. The method as claimed in claim 1, wherein the first node has a single-channel design.
3. The method as claimed in claim 2, wherein the time values from the dual-channel second node are determined at a defined time interval from the respective send times of the time values.
4. The method as claimed in claim 2, wherein the dual-channel second node sends the time values to the single-channel first node regardless of a module error associated with an electronic module connected to the dual-channel second node.
5. The method as claimed in claim 1, wherein a safety protocol is used for a data transfer between the first node and the second node on the communications network, the safety protocol being a Safety over EtherCAT protocol.
6. A method for monitoring a first node in a fieldbus communications network by a second node, wherein the first node has a single-channel design and executes a safety-oriented application, wherein the second node has a dual-channel design, and wherein a safety protocol is used for a data transfer between the first node and the second node on the fieldbus communications network, comprising the steps:
determining in the dual-channel second node at two consecutive time points first and second time values, which are based on an internal timer of the dual-channel second node, and the dual-channel second node sending the first and second time values to the single-channel first node via the fieldbus communications network, the single-channel first node receiving the first and second time values and determining in response to receipt of the first and second time values, third and fourth time values, respectively, which are based on a further internal timer of the single-channel first node, such that the third and fourth time values are present in the single-channel first node,
the single-channel first node comparing a difference between the first and second time values from the dual-channel second node with a difference between the third and fourth further time values from the single-channel first node, wherein the single-channel first node executes the safety-oriented application on the basis of the further internal timer of the first node and goes into an error state if a disparity in the difference between the first and second time values from the second node and the difference between the third and fourth time values from the first node is greater than a predetermined threshold value, the threshold value depending on the safety-oriented application and one or more respective parameters selected from transfer rate, transmission path, and jitter, wherein the error state indicates or signifies that execution of the safety-oriented application in the first node is stopped.
7. The method as claimed in claim 6, wherein the time values from the dual-channel second node are determined at a defined time interval from the respective send times of the time values.
8. The method as claimed in claim 6, wherein the safety protocol is the Safety over EtherCAT protocol.
9. The method as claimed in claim 6, wherein the dual-channel second node sends the time values to the single-channel first node regardless of a module error associated with an electronic module connected to the dual-channel second node.
10. A monitoring system comprising a first node and a second node in a fieldbus communications network,
wherein the first node has a single-channel design comprising a processor, and executes a safety-oriented application, wherein the second node has a dual-channel design comprising two processors, which monitor each other for malfunctions, and wherein a safety protocol is used for a data transfer between the first node and the second node on the fieldbus communications network,
wherein the dual-channel second node further comprises an internal timer and a communications interface, wherein one processor of the dual-channel second node determines a time value on the basis of the internal timer under monitoring of the other processor of the dual-channel second node, and wherein the communications interface sends the determined time values to the single-channel first node via the communications network,
wherein the first node comprises a further internal timer and a further communications interface, wherein the communications interface receives the time values from the dual-channel second node via the communications network, and wherein the processor of the single-channel first node determines, in response to each receipt of the sent time values from the dual-channel second node, a further time value based on the further internal timer, and compares a difference between the two time values received from the dual-channel second node with a difference between the two further time values determined by the single-channel first node, wherein the first node goes into an error state if the respective differences differ by a defined threshold value, the threshold value depending on execution of a safety-oriented application in the first node and one or more respective parameters selected from transfer rate, transmission path, and jitter, wherein the error state indicates or signifies that the execution of the safety-oriented application in the first node is stopped.
11. The monitoring system as claimed in claim 10, wherein the one processor of the dual-channel second node determines the time values from the dual-channel second node at a defined time interval from respective send times of the time values.
12. The monitoring system as claimed in claim 10, wherein the safety protocol is the Safety over EtherCAT protocol.
13. The monitoring system as claimed in claim 10, wherein the dual-channel second node sends the time values to the single-channel first node regardless of a module error associated with an electronic module connected to the dual-channel second node.
US15/088,299 2014-10-14 2016-04-01 Method for monitoring a first node in a communications network and monitoring system Active 2035-12-02 US10924371B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE102014114883.5 2014-10-14
DE102014114883.5A DE102014114883A1 (en) 2014-10-14 2014-10-14 Method and system for monitoring a first subscriber of a communication network
PCT/EP2015/073758 WO2016059100A1 (en) 2014-10-14 2015-10-14 Method for monitoring a first participant in a communication network, and monitoring system

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2015/073758 Continuation WO2016059100A1 (en) 2014-10-14 2015-10-14 Method for monitoring a first participant in a communication network, and monitoring system

Publications (2)

Publication Number Publication Date
US20160218946A1 US20160218946A1 (en) 2016-07-28
US10924371B2 true US10924371B2 (en) 2021-02-16

Family

ID=54329522

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/088,299 Active 2035-12-02 US10924371B2 (en) 2014-10-14 2016-04-01 Method for monitoring a first node in a communications network and monitoring system

Country Status (5)

Country Link
US (1) US10924371B2 (en)
EP (1) EP3042472B1 (en)
CN (1) CN105900360B (en)
DE (1) DE102014114883A1 (en)
WO (1) WO2016059100A1 (en)

Also Published As

Publication number Publication date
CN105900360A (en) 2016-08-24
DE102014114883A1 (en) 2016-04-14
EP3042472B1 (en) 2017-05-31
US20160218946A1 (en) 2016-07-28
WO2016059100A1 (en) 2016-04-21
CN105900360B (en) 2018-04-06
EP3042472A1 (en) 2016-07-13

Legal Events

Date Code Title Description
AS Assignment

Owner name: BECKHOFF AUTOMATION GMBH & CO. KG, GERMANY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ELLERBROCK, OLIVER;SACHS, JENS;ZUTZ, ROBERT;SIGNING DATES FROM 20160406 TO 20160408;REEL/FRAME:038252/0108

AS Assignment

Owner name: BECKHOFF AUTOMATION GMBH, GERMANY

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE NAME OF THE ASSIGNEE PREVIOUSLY RECORDED ON REEL 038252 FRAME 108. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNORS:ELLERBROCK, OLIVER;SACHS, JENS;ZUTZ, ROBERT;REEL/FRAME:039502/0457

Effective date: 20160719

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

AS Assignment

Owner name: BECKHOFF AUTOMATION GMBH, GERMANY

Free format text: CHANGE OF ASSIGNEE ADDRESS;ASSIGNOR:BECKHOFF AUTOMATION GMBH;REEL/FRAME:051057/0632

Effective date: 20191108

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STCF Information on status: patent grant

Free format text: PATENTED CASE